The Human Rights Law Centre and the Law Council of Australia have asked the federal government to redraft the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, calling its contents “particularly egregious” and “so broad”.
The Bill, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new computer warrants for dealing with online crime.
“Sweeping state surveillance capacity stands in stark contrast to the core values that liberal democracies like Australia hold dear,” Human Rights Law Centre senior lawyer Kieran Pender declared to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Wednesday.
“In the past two decades, the surveillance capabilities of Australian law enforcement and intelligence have rapidly expanded, every increase in state surveillance imposes a democratic cost.”
According to Pender, each time further surveillance powers are contemplated, three questions should be asked: are the proposed powers strictly necessary, carefully contained, and fully justified?
“We believe that the Bill in its present shape does not satisfy those criteria,” he said.
“While many of the expansions made to surveillance powers in this country in recent years have been troubling, this Bill stands out as particularly egregious because its scope encompasses any and every Australian.”
The first of the warrants is a data disruption warrant, which according to the Bill’s explanatory memorandum is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
The last warrant is an account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.
“The powers offered by the Bill are extraordinarily intrusive, the explanatory memorandum and commentary by the minister indicate that powers are intended to only be used in cases of the most severe wrongdoing, yet the Bill does not reflect that,” Pender said.
He believes the Bill’s relevant offence threshold of three years’ imprisonment is too low and should be increased, and that the definitions used for the network activity warrants are so expansive as to be practically unlimited in scope.
“We would urge the committee to recommend that these warrants be redrafted to prevent their application to individuals that have no involvement whatsoever in the relevant offence, otherwise, every single Australian is at risk of having their online activities monitored by the Federal Police even where they’re not suspected of having done anything wrong,” he said.
As noted in its submission on the Bill, the Office of the Australian Information Commissioner (OAIC) believes the Bill’s definition of a criminal network of individuals has the potential to include a significant number of people, including third parties who are not the subject of the warrant and are only incidentally connected to the subject or subjects of the warrant.
David Neal from the Law Council of Australia further expanded on the risk posed to those peripheral to the individual or individuals who are the subject of a warrant.
“[The definition is] so broad that as soon as one individual suspected of a relevant offence, users, for example of WhatsApp, in theory, this Bill will allow warrant in regards to anyone who uses WhatsApp because they’re then an electronically linked group of individuals with that one person,” he said.
“Now, you know, someone defending the Bill might say, Well, you know, there are sort of all these other criteria that go to that, and we accept that to an extent, although I think those criteria needs to be more robust.”
Representatives from both organisations agreed the broad definitions within the Bill could exacerbate the risk of abuse and misuse.
“There’s all of these channels that are totally going to be sort of swept past potentially under this Bill, and give rise to concerns about abuse,” Neal said.
In its submission to the PJCIS, the Law Council made a total of 57 recommendations on how to make the Bill more fit for purpose.
“The appropriate course of action we respectfully submit is for the committee to recommend that the government substantially redraft this bill before it returns to Parliament,” Pender declared.
Sophos has patched a remote code execution (RCE) vulnerability in its Firewall product line. Sophos Firewall is an enterprise cybersecurity solution that can adapt to different networks and environments. It includes TLS and encrypted network traffic inspection, deep packet inspection, sandboxing, intrusion prevention systems (IPSs), and visibility features for detecting suspicious and malicious network activity.
On March 25, the cybersecurity company disclosed the RCE, which had been privately reported to Sophos through the firm’s bug bounty program by an external security researcher. Sophos offers financial rewards of between $100 and $20,000 for reports.
Tracked as CVE-2022-1040 and assigned a CVSS score of 9.8 by Sophos acting as a CNA, the vulnerability impacts Sophos Firewall v18.5 MR3 (18.5.3) and older. According to Sophos’ security advisory, the critical vulnerability is an authentication bypass in the User Portal and Webadmin interfaces of Sophos Firewall. While the vulnerability is now patched, Sophos has not provided further technical details.
In most cases, Sophos Firewall users will have received a hotfix for the flaw, so customers who have enabled the automatic installation of hotfix updates do not need to take further action. Customers still running older software versions, however, may have to update their builds to a newer version to stay protected.
There is also a general workaround to mitigate the risk of attacks made through the User Portal and Webadmin: users can disable WAN access to these interfaces entirely. Sophos also recommends using a virtual private network (VPN) alongside Sophos Central to improve the security of remote connections.
Earlier this month, Sophos resolved CVE-2022-0386 and CVE-2022-0652, two vulnerabilities in the Sophos UTM threat management appliance. CVE-2022-0386 is a high-severity post-authentication SQL injection vulnerability, whereas CVE-2022-0652 is an insecure access permissions bug.
UK budget airline easyJet has disclosed a massive data breach affecting nine million of its customers and involving over 2,000 credit-card details. EasyJet today said it has been the target of a “highly sophisticated” attacker, which gained access to nine million customers’ email addresses and travel details. The company said 2,208 credit-card details were accessed […]
Microsoft really, really, really doesn’t want you to upgrade your old Windows 10 PC to Windows 11. That’s the logic behind the strict hardware compatibility requirements the company imposed when it launched the new operating system in 2021. If you try to install Windows 11 on a computer with a […]
The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks.
Government officials disclosed the hacks in a joint security advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
US officials identified the Russian hacker group as Energetic Bear, a codename used by the cybersecurity industry. Other names for the same group also include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.
Officials said the group has been targeting dozens of US state, local, territorial, and tribal (SLTT) government networks since at least February 2020.
Companies in the aviation industry were also targeted, CISA and FBI said.
The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.” [emphasis ZDNet]
The intrusions detailed in today’s CISA and FBI advisory are a continuation of attacks detailed in a previous CISA and FBI joint alert, dated October 9. The previous advisory described how hackers had breached US government networks by chaining vulnerabilities in VPN appliances with Windows bugs.
Today’s advisory attributes those intrusions to the Russian hacker group but also provides additional details about Energetic Bear’s tactics.
Hackers targeted internet-connected networking gear
According to the technical advisory, Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.
Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE-2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).
To move laterally across compromised networks, CISA and the FBI said the Russian hackers used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials. The group then used these credentials to roam through a target’s internal network.
In situations where the attacks succeeded, CISA and the FBI said the hackers moved to steal files from government networks. Based on the information they received, the two agencies said Energetic Bear exfiltrated:
Sensitive network configurations and passwords.
Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
IT instructions, such as requesting password resets.
Vendors and purchasing information.
Printing access badges.
“To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities,” the two agencies said.
“As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised,” the two added.
News publication Cyberscoop first reported on Monday that Energetic Bear (TEMP.Isotope) was the hacker group behind the breaches reported in the first CISA and FBI alert.
Energetic Bear is also the same hacker group that targeted the San Francisco airport earlier this spring.
Internet of Things
Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017
That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way
LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology
The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors